server side request forgery vulnerability in a custom api endpoint because someone thought it was a good idea to expose the underlying http client instance to the application code ugh